Managing LDAP groups and roles through SUN IDM

Hi Guys,
We have a requirement to build the following functionality in our Sun IDM tool:
1. Ability to create/manage static LDAP groups.
2. Ability to create/manage filtered LDAP groups.
3. Ability to create/manage static LDAP roles.
4. Ability to create/manage filtered LDAP roles.
Can anyone give us any pointers as to how to accomplish this, or any ideas on the path to follow?
Any reply will be appreciated.

http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html
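The thread itself gives nothing beyond the link, so here is an added example (not from the original post or from the linked blog) that shows how Sun Directory Server represents the four things the requirement lists, and how membership is resolved for each. Everything it names is a constructed assumption: the dc=example,dc=com suffix, the ou=People, ou=Groups and ou=Services containers, the four users, and the group and role names. The object classes and attributes (groupOfUniqueNames/uniqueMember for static groups, groupOfURLs/memberURL for filtered groups, nsManagedRoleDefinition/nsRoleDN for static roles, nsFilteredRoleDefinition/nsRoleFilter for filtered roles) are the standard Sun/iPlanet DS ones. The filter evaluator and scope check are a small offline re-implementation of what the server does, enough to show why a memberURL's base and a role's placement matter.

```python
"""Static and filtered LDAP groups and roles as Sun Directory Server stores them.
Added example, not from the original thread: suffix, containers, users and the
group/role names are constructed; the object classes and attributes used are the
standard Sun/iPlanet DS ones (groupOfUniqueNames, groupOfURLs, nsRoleDefinition...)."""
from urllib.parse import unquote

SUFFIX = "dc=example,dc=com"
PEOPLE = f"ou=People,{SUFFIX}"
OC = "objectClass"

def _user(dept, etype):                     # constructed sample entry (attr -> values)
    return {OC: ["inetOrgPerson"], "departmentNumber": [dept], "employeeType": [etype]}

USERS = {f"uid=alice,{PEOPLE}": _user("eng", "employee"), f"uid=bob,{PEOPLE}": _user("eng", "contractor"),
         f"uid=carol,{PEOPLE}": _user("sales", "employee"),
         f"uid=svc-backup,ou=Services,{SUFFIX}": _user("eng", "employee")}

def _get(attrs, name):                      # case-insensitive attribute lookup, as in LDAP
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])
def _norm(dn):                              # canonical DN form for comparison
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):              # LDAP search scope "base" or "sub" ("one" omitted)
    dn, base = _norm(dn), _norm(base)
    return dn == base if scope == "base" else (dn == base or dn.endswith("," + base))

def parse_filter(f, i=0):
    """Minimal RFC 4515 parser: (a=v), (a=*), &, |, ! -> (nested tuples, next index)."""
    assert f[i] == "(", f
    c = f[i + 1]
    if c in "&|":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = parse_filter(f, i)
            kids.append(node)
        return (c, kids), i + 1
    if c == "!":
        node, i = parse_filter(f, i + 2)
        return ("!", [node]), i + 1
    j = f.index(")", i)
    attr, _, val = f[i + 1:j].partition("=")
    return ("=", attr, val), j + 1

def matches(attrs, node):
    op, arg = node[0], node[1]
    if op in "&|":
        return (all if op == "&" else any)(matches(attrs, k) for k in arg)
    if op == "!":
        return not matches(attrs, arg[0])
    vals = [v.lower() for v in _get(attrs, arg)]
    return bool(vals) if node[2] == "*" else node[2].lower() in vals

def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter -> (base, scope, filter) with RFC 4516 defaults."""
    parts = url[7:].partition("/")[2].split("?")
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    flt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return unquote(parts[0]), scope, flt

def static_group(cn, member_dns):           # membership is stored ON the group entry
    return f"cn={cn},ou=Groups,{SUFFIX}", {OC: ["top", "groupOfUniqueNames"], "cn": [cn], "uniqueMember": list(member_dns)}
def filtered_group(cn, base, flt, scope="sub"):   # membership is computed from an LDAP URL
    return f"cn={cn},ou=Groups,{SUFFIX}", {OC: ["top", "groupOfURLs"], "cn": [cn], "memberURL": [f"ldap:///{base}??{scope}?{flt}"]}

# A role covers the subtree of its PARENT entry, so it is created directly under the
# suffix: a role placed under ou=Roles would never apply to anyone in ou=People.
def managed_role(cn):                       # membership is stored ON the user (nsRoleDN)
    return f"cn={cn},{SUFFIX}", {OC: ["top", "LDAPsubentry", "nsRoleDefinition", "nsSimpleRoleDefinition", "nsManagedRoleDefinition"], "cn": [cn]}
def filtered_role(cn, flt):                 # membership is computed from nsRoleFilter
    return f"cn={cn},{SUFFIX}", {OC: ["top", "LDAPsubentry", "nsRoleDefinition", "nsComplexRoleDefinition", "nsFilteredRoleDefinition"], "cn": [cn], "nsRoleFilter": [flt]}

def assign_managed_role(user_attrs, role_dn):     # the write goes to the USER entry
    user_attrs.setdefault("nsRoleDN", []).append(role_dn)

def members(dn, attrs, users):
    """Effective members (normalised DNs) of a group or role, evaluated over `users`."""
    ocs = {o.lower() for o in _get(attrs, OC)}
    if "groupofuniquenames" in ocs:
        return {_norm(m) for m in _get(attrs, "uniqueMember")}
    if "groupofurls" in ocs:
        out = set()
        for url in _get(attrs, "memberURL"):
            base, scope, flt = parse_ldap_url(url)
            node = parse_filter(flt)[0]
            out |= {_norm(u) for u, a in users.items() if in_scope(u, base, scope) and matches(a, node)}
        return out
    scoped = {u: a for u, a in users.items() if in_scope(u, dn.partition(",")[2], "sub")}
    if "nsmanagedroledefinition" in ocs:
        return {_norm(u) for u, a in scoped.items() if _norm(dn) in map(_norm, _get(a, "nsRoleDN"))}
    node = parse_filter(_get(attrs, "nsRoleFilter")[0])[0]          # nsFilteredRoleDefinition
    return {_norm(u) for u, a in scoped.items() if matches(a, node)}

def build_example():
    """One of each of the four kinds; returns ({kind: member DNs}, {kind: (dn, attrs)})."""
    users = {u: {k: list(v) for k, v in a.items()} for u, a in USERS.items()}   # private copy
    defs = {"static group": static_group("eng-static", [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]),
            "filtered group": filtered_group("eng-dynamic", PEOPLE, "(departmentNumber=eng)"),
            "managed role": managed_role("eng-managed"),
            "filtered role": filtered_role("employees", "(&(employeeType=employee)(!(departmentNumber=sales)))")}
    assign_managed_role(users[f"uid=alice,{PEOPLE}"], defs["managed role"][0])
    assign_managed_role(users[f"uid=svc-backup,ou=Services,{SUFFIX}"], defs["managed role"][0])
    return {name: members(dn, attrs, users) for name, (dn, attrs) in defs.items()}, defs
```

Calling build_example() makes two things visible that bite in practice. A filtered group is bounded by the base DN inside its memberURL, so svc-backup under ou=Services is never a member of eng-dynamic even though it matches the filter, whereas a role's scope is the subtree of its parent entry, so the same account does pick up both roles. Static group membership is an attribute of the group entry (uniqueMember); managed-role membership is an attribute of the user entry (nsRoleDN). That is why a provisioning tool has to write to different entries, with different ACIs, for "static group" and "static role", and why a filtered group or role needs no write at all when a user's attributes change.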

Similar Messages

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent:
    1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have
    2 groups in iPlanet: contractors and employees, and I have 2 security roles in WebLogic:
    contractors and employees. How do I map the LDAP group contractors to the WebLogic security
    role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. The RDN for a contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of WebLogic (the WebLogic Security Realm
    under People) OR do I have to write my own custom code?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
    parameters)?
    This is very urgent ... so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1 SP1; you don't have to
    download any additional driver. Use it as you normally would. The only thing to
    remember is that if you are trying to write standalone Java code, you have to
    have weblogic.jar in your classpath. For the rest of the info, follow the WLS
    docs for 6.1.
    HTH
    sree

    "Ariel" wrote in message:
    We want to connect our WebLogic 6.1 SP1 server to a SQL Server 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLS 5.1.
    What has to be done to do this with 6.1 SP1?
    Thanks,
    Ariel

  • Making users available for OpenSSO realm group and role assignment?? Help.

    Here is the situation. We have 3 OpenSSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal and OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
    Here is the behavior that is manifest.
    In the 2 'broken' realms, when we create users and assign them to the appropriate OpenSSO realm, they appear to be provisioned correctly in IDM as well as in the realm (we have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users cannot be unassigned, nor can any others. Note: our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
    The third realm, OpenSSO-Admin, works fine and we can add and manage users in the groups and roles within the realm.
    We have ruled out the workflow as a source, as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'broken' realms, the users do not appear in the list of available users to be assigned to the groups or roles. Yet in the 'good' realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
    I have tried reconciling and get no different results.
    Question is: we have isolated that the issue seems to be in the generation / management of the left-hand "Available Users" list. How and where is this generated from, and how can we check/fix or regenerate this list?
    Thanks.
    Joe

    I should clarify. We are using Sun IDM 8.1

  • Difference between Groups and roles?

    Hi All,
    What is the difference between groups and roles?
    Thanks for your time and help.

    Oracle does not have anything called a 'group'.
    A role is a named object that can contain a set of privileges. The members of the set can be individual privileges or can be another role that contains its own set of privileges. Roles can then be granted to users (or to other roles) so that those users (or roles) have the specified privileges.
    See the SQL Language reference - http://docs.oracle.com/cd/B28359_01/server.111/b28286/toc.htm
    Read the topics for CREATE ROLE, GRANT and REVOKE

  • Sun IDM - Ways to manage 'nisNetgroup' on LDAP through Sun IDM

    Hi,
    I need to manage nisNetgroup on Sun Directory server resource through Sun Identity manager.
    Please share any ideas/ways to achieve it.
    Thank you.
    Regards,
    Prabhu

    I can't confirm this works, but I think you should be able to add a new ObjectType to your LDAP resource configuration, i.e. something like the following.
    (I just copied and pasted one of the default ObjectType definitions and altered it to match the LDAP nisNetgroup objectclass and its attributes, as defined in draft-howard-rfc2307bis.)
    <ObjectType name='nisnetgroup' nameKey='nisnetgroup' icon='group'>
        <ObjectClasses primary='nisnetgroup' operator='OR'>
            <ObjectClass name='nisnetgroup'/>
        </ObjectClasses>
        <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='update'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
        </ObjectFeatures>
        <ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description'
                          objectClassAttr='objectclass'>
            <ObjectAttribute name='cn' type='string'/>
            <ObjectAttribute name='description' type='string'/>
            <ObjectAttribute name='nisNetgroupTriple' type='string'/>
            <ObjectAttribute name='memberNisNetgroup' type='string'/>
        </ObjectAttributes>
    </ObjectType>
    Hope this helps.
    Regards,
    Alex

  • How to access the mapping of Groups and Roles in the JAVA Application

    We have mapped the EJB roles with the groups through the Visual Administrator. We have developed the SSO. We have developed the application through which we are creating the user and role and mapping that role with the created user. The created role is saved in some LDAP directory. The second application is one in which EJB methods are mapped with some security roles. The LDAP roles we are getting in NetWeaver as groups, and we can perform the mapping of the deployed EJB roles with the group. Now, for the logged-in user, we want to get the roles mapped with it so that we can give/deny access to the methods of the EJB as per the role of that user. How will we get access to the mappings of the roles with the group in the application, if I know the LDAP roles mapped with the user (since these roles are accessible as groups in NetWeaver)?
    For e.g. from the application we created the user with the role "manager". This role is stored in the iPlanet directory.
    This directory is mapped in NetWeaver. The manager role is displayed as a group in NetWeaver.
    We created the EJB application with the method "displayTheAccountDetails()" with the role "ManagerRole".
    This role is mapped with the manager group. Now we have the details about the logged-in user and the LDAP roles mapped to it (manager role). How will I get access to the details of which EJB role is mapped to this group in the application, so that depending on that I can allow/deny access to the "displayTheAccountDetails()" method for the logged-in user?

    Do you guys work together?
    See the last answer in this thread: How database works in UCM?

  • Renaming a managed LDAP group from a workflow

    Does anyone know how to rename an ldap group from within a custom workflow? The closest thing i've found is the resourceobjectrename.jsp that is called from the admin interface.
    Thanks,
    David

    Emir,
    Thanks for the response!   The version we are using is 2006.0.7.1.   The scenario I gave was only an example...   We are looking to address a dictionary permission issue due to regulatory issues.   We have fields in LDAP that contain the regulatory rules and have a need to permission dictionaries (read access) based on these rules.
    Just curious...how do you setup filters to ignore users?   Is this manually managed?  &

  • Defualt group and role size

    What is the default size or number of characters allowed while creating a group or role in Oracle Identity Manager?

    By default it is 30.
    See Formmetadata.xml
    <Attribute name="-30" label="UserGroupAdmin.message.groupName" displayComponentType="TextField" variantType="String" dataLength="30" map="Groups.Group Name" />
    You can modify it. If you want to increase it then you'll have to increase it at the database level also.
    alter table UGP modify UGP_NAME varchar2(2000 char);
    Don't forget to restart the server.

  • Advanced Group Policy Management - On privileges and roles

    Hello!
    We are rolling out AGPM 4.0 SP2.  Seems to work well enough.
    We currently have more than one set of standard permissions.  For example, our Citrix team controls GPOs for Citrix, our Desktop team controls GPOs for desktops, etc.
    Is there no way to delineate this in AGPM?
    My first thought was that I could use PowerShell to rapidly set, and regularly audit and auto-correct these privileges.  True to Group Policy form, there is limited PowerShell support - in this case, none at all.
    My second thought was that templates might include AGPM roles.  So I could say 'Group X has privileges to Template A,' 'Group Y and Z have privileges to Template B,' and so forth.  When I create a template, it would include those permissions.
     Nope.
    I'm all for opening up access, but this might be a tough sell.  Am I the only one who has disparate security boundaries around group policies?  Am I overlooking a solution to this?
    Thanks!
    RCM

    Have you thought about multiple AGPM Servers, one for each group? Each AGPM store could utilize separate standard permissions and control the subset of policies which are within the scope of the group. You can even use Group Policy itself to manage a multiple AGPM Server environment.
    Brandon
    MDOP on the Springboard Series on TechNet

  • Is there User Group and Role Reporting in SAP Enterprise Portal?

    I want to know if there is a way to pull user statistics out of SAP Enterprise Portal like you can out of the R3 backend systems.
    I would like functionality similar to the SUIM transaction. I know through user administration you can access any user, even a list of all users, and you can do similar lists with roles and groups. You can then access any of these things individually and look at their assignments. However, I want to do this on a large scale. I want to know, for example, every group that has a user assigned to it, every group that has roles assigned to it, or groups that have no user or role assignments. We have approximately 1904 groups in our Production Portal system and I am trying to clean up the groups that have no user assignment, but I don't want to look through them one by one.

    Hi Chris,
    There is no standard report available for this purpose. However all this information is stored in table UME_STRINGS.
    You can write your own SQL queries to generate such reports. However please note that this table is not normalized, and it's a master UME table. You should use it strictly for READ ONLY purpose.
    For sample code which I wrote some time back, you might refer to:
    http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
    Thanks
    Prashant

  • Chart Work Items by group and role

    Hi,
    I need to create a chart or a dashboard (I'm not sure) where I can see the workload on participants that have a specific role and belong to a determined group

    Since you are using LDAP, what are you trying to do?
    If you want to split users based on groups, then, if possible, categorize the users based on groups in LDAP so that you may use them in security.
    If not, as I said earlier, go with your own table with the available info from LDAP.
    Thanks
    Edited by: Srini VEERAVALLI on Jan 7, 2013 11:57 PM

  • Managing service profiles and servers through UCS Central

    Hello,
    I am designing a workflow for automating server installations through PXE boot with global service profiles.
    It creates a (global) SP and assigns a server to it, but then changing the boot policy for the SP does not work, I assume because the SP is created from a template. Also Director seems to miss the required tasks to boot the SP/server through Central, and server assign returns the UCS server identity as empty, so the UCS tasks do not work either.
    Any suggestions how this can be done besides using local SPs in manager?

    Hi Dani,
    Global Service Profiles fall under the Organization structure. And the Organization structure/hierarchy has no relationship/dependency to Domain Groups.
    So limiting visibility of Global Service Profiles/Templates to certain Domain Groups: no, you'd have to limit them within an Organizational context.
    Hope this helps,
           -Jeff

  • Managing users, groups and shares with Mavericks server

    I recently upgraded from Snow Leopard Server to Mavericks.
    In Snow Leopard, Workgroup Manager was the primary way to create shares, users and groups. Now it would seem that it is optional, and in fact I do not even see how to create a share in Workgroup Manager, except for perhaps a group share, which I'm not quite sure how to do.
    For my setup, I have setup Open Directory and create a few Local Network users. DHCP is managed via my airport and the DNS is on but only for server and points to my Airport IP address.
    QUESTIONS:
    Should I be managing users with Workgroup Manager or Server app? What's the advantage?
    I don't have user profiles (files) stored on the server they are local. That being the case, why does each user have a network folder on the server?
    Thanks!

    Workgroup Manager and MCX are deprecated. These technologies should only be used if you cannot accomplish your tasks with Server.app and Profile Manager. If you have specific requirements that cannot be satisfied in Server.app and Profile Manager, you should send feedback to Apple.
    So to your questions:
    Should I be managing users with Workgroup Manager or Server app? What's the advantage?
    I don't have user profiles (files) stored on the server they are local. That being the case, why does each user have a network folder on the server?
    1:  Ideally, no.  Unless...  You are supporting machines prior to 10.8.5 or can not find an equivalent function in Server.app and Profile Manager.  There is no advantage to using it.  Apple will eventually stop distributing it.  It is available now for legacy support only.  If you have a need for MCX management then WGM remains viable.  But, ideally, you should be looking to Profile Manager.
    2:  This is because you created your accounts using Local Home Folder template instead of None - Services Only.  The Local Home Folder template has the unfortunate side-effect of creating a user home folder on the server.  I too dislike this.  If you only want to use the accounts for services, then you should create the accounts using None - Services Only.  By the way, it is safe to delete these home folders if you would like.
    Reid
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Managing several groups of machines with Sun update manager.

    I have tested the Update Connection with a few machines for a while
    and it seems ok, but if I were to move all my machines to using Update Manager then I would need some sort of grouping similar machines together.
    Now it looks to me that everything is one big list.
    Is there any way to organize machines so test and production is not in the same long list and perhaps servers and desktops are separated? If not I guess I am not the only one missing such a feature..
    Best regards,
    Thomas

    Thomas,
    Assuming you are referring to the systems and how they are grouped/displayed on the Update Connection web portal, there is currently no way to group hosts; however, it is a feature which is in development for a future release.

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    I am trying to build up synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group to achieve synchronized user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    <b>The question is, is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?</b>
    Or is there another way to administrate users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case you have to use the concept of central user administration. Use the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps you to get a fair bit of an idea
    don't forget to give points
    With regards
    subrato kundu
